[00:00.000 --> 00:05.300]  Welcome to the presentation about Cotopaxi toolkit for testing IoT devices.
[00:05.720 --> 00:10.620]  At the beginning, a short introduction about myself. My name is Jakub Botwicz. Currently,
[00:10.620 --> 00:16.220]  I work in Samsung R&D Center in Poland, where I lead a small team of security pen testers.
[00:16.320 --> 00:23.580]  In the recent three years, I have reported more than 30 CVEs to different open source components,
[00:23.580 --> 00:28.660]  mostly IoT libraries. In my free time, I climb and trek in the mountains,
[00:28.660 --> 00:33.120]  and I especially love active volcanoes, which inspired the name of the toolkit.
[00:33.520 --> 00:37.540]  I would like to acknowledge also other contributors who added new features or
[00:37.540 --> 00:41.640]  performed quality reviews of the tool. They are listed on the slide.
[00:42.760 --> 00:48.120]  What was the idea for Cotopaxi? One thing is that the overall security level of IoT devices
[00:48.120 --> 00:53.660]  is still very low, so there is a lot of testing to do. Another topic is that there are new
[00:53.660 --> 01:01.320]  protocols used mainly in IoT devices like CoAP, DTLS, or MQTT, and most of these new protocols
[01:01.320 --> 01:08.160]  are not supported by security testing tools. If you look at the slide, you will see the
[01:08.160 --> 01:14.680]  landscape of security tools for IoT devices when we started preparing Cotopaxi back in 2017.
[01:14.740 --> 01:21.740]  There were lots of gaps, and the major tool, the Shodan search engine, could be used only for
[01:21.740 --> 01:29.420]  public devices. Currently, the situation has changed a little bit for the better with the new tools that
[01:29.420 --> 01:37.220]  appeared during the last years. But still, when you have a look at specific protocols, there are still
[01:37.220 --> 01:44.320]  multiple gaps to fill. For example, when you run an nmap scan on a device using the CoAP protocol on a
[01:44.320 --> 01:51.320]  non-standard port, you will receive a lot of unknown protocols or wild guesses based only on
[01:51.320 --> 02:02.420]  port numbers. Similarly, Wireshark supports most of the new protocols, but only on standard ports.
[02:02.420 --> 02:13.160]  On the slide, you can see an example of CoAP traffic that was shown as an unknown UDP protocol.
[02:14.100 --> 02:20.020]  Only after a manual change using the Decode As function will you receive decoded CoAP packets.
[02:21.320 --> 02:28.540]  So, when in 2017 our team performed a large-scale assessment of multiple IoT components, we got
[02:28.540 --> 02:34.940]  ideas for new tools, a large corpus of malformed packets and a pack of new vulnerabilities.
[02:36.500 --> 02:40.880]  All of that was used as a foundation for Cotopaxi.
[02:43.340 --> 02:48.980]  The most important information about Cotopaxi: it was released to the public as an open source
[02:48.980 --> 02:57.340]  project under the GPL2 license. It is available in the public GitHub repository in the Samsung
[02:57.340 --> 03:03.370]  organization. Currently, this is the fourth release of the tool, with new features and vulnerabilities.
[03:04.180 --> 03:09.000]  When it comes to this strange name, Cotopaxi is an active volcano in Ecuador
[03:09.000 --> 03:16.700]  and it's a quite interesting target for climbing. Cotopaxi can be used by different security
[03:16.700 --> 03:22.120]  personnel. If you're a pentester, you can use it when you're performing a black box assessment
[03:22.860 --> 03:31.460]  of large environments like a smart home, smart factory or smart city. If you're a security
[03:31.460 --> 03:37.760]  researcher, you can analyze the network traffic of a tested device, identifying known vulnerabilities
[03:37.760 --> 03:45.780]  or checking for OEM devices. And finally, if you're a developer or vendor, you can
[03:45.780 --> 03:51.540]  fuzz your devices and check whether they can be used in distributed denial of service attacks.
[03:52.520 --> 03:57.880]  Currently, there are 10 tools in the toolkit and they support different phases of penetration
[03:57.880 --> 04:05.180]  testing. Starting from the reconnaissance phase, there is a service ping that checks the availability
[04:05.180 --> 04:11.860]  of endpoints for specific protocols. The next one is a security scanner that allows you to verify
[04:11.860 --> 04:19.120]  security properties like cryptography, certificates and so on. DirBuster for
[04:19.780 --> 04:26.020]  resource listing in various protocols. A software fingerprinter that classifies
[04:26.020 --> 04:32.220]  software components used by the server. And the new tool for device identification
[04:32.220 --> 04:38.100]  that passively analyzes traffic and classifies devices using machine learning.
[04:39.050 --> 04:44.600]  In the pre-exploitation phase, there is an amplification sniffer for detecting traffic
[04:44.600 --> 04:54.580]  amplifiers, a protocol fuzzer in two versions for testing clients and servers, and a known
[04:54.580 --> 05:03.520]  vulnerability tester, also in two versions. Cotopaxi currently supports 10 protocols.
[05:03.520 --> 05:12.040]  Three of them were added in this version. These are the Advanced Message Queuing Protocol (AMQP),
[05:12.040 --> 05:20.980]  MQTT for sensor networks and the QUIC protocol. I will shortly talk about two of them.
[05:21.440 --> 05:29.660]  QUIC is a new protocol designed by Google and widely used in their applications and IoT devices.
[05:30.140 --> 05:37.900]  It is mainly like TCP and TLS in one, with support for multiple streams and low latency
[05:37.900 --> 05:47.800]  connection setup. And it's also UDP based. The second of the new protocols is MQTT-SN.
[05:47.800 --> 05:56.520]  This is a UDP clone of the most popular IoT protocol, MQTT. It was designed for
[05:57.160 --> 06:02.680]  sensor networks, which are quite popular in the IoT world.
[06:04.360 --> 06:12.920]  The first and basic tool in the Cotopaxi toolkit is ServicePing. It's used by all other tools
[06:14.320 --> 06:20.400]  to check whether there's an active server of a protocol at a specific address and port.
[06:20.980 --> 06:24.680]  It uses a set of payloads for each protocol to test
[06:25.280 --> 06:31.760]  endpoints. And this is an extension of the usual port scan using NMAP.
[06:32.640 --> 06:39.220]  The next tool is ServiceFingerprinter. This is an equivalent to NMAP service and application
[06:39.220 --> 06:47.060]  version detection. However, NMAP works only by comparing server responses for a list of inputs,
[06:47.060 --> 06:53.900]  while Cotopaxi uses a machine learning classifier based on the number of requests and responses.
[06:55.600 --> 07:01.540]  The next tool is used for device identification. This is a new feature in this version.
[07:01.660 --> 07:08.760]  It is based on two large corpora of IoT traffic provided by the authors of the papers listed on the slide.
[07:09.320 --> 07:14.560]  After recording a sample of traffic, we can classify all devices that were
[07:16.320 --> 07:25.080]  communicating. But you need to make sure that you have captured all of the packets going in and out
[07:25.080 --> 07:34.280]  of the device, so that the classification results are accurate. The next tool performs resource listing
[07:34.280 --> 07:40.380]  and it's similar to the popular DirBuster, but works for a wider range of protocols like
[07:40.940 --> 07:49.160]  CoAP, multicast DNS, SSDP, RTSP. You need to provide a list of resource names and Cotopaxi
[07:49.160 --> 07:55.720]  will check each of them on the server. There are some predefined lists for each protocol available
[07:55.720 --> 08:04.840]  in the lists subdirectory. The next feature is a protocol fuzzer. It uses a
[08:05.720 --> 08:12.660]  corpus of malformed packets prepared using the American Fuzzy Lop fuzzer and it checks whether
[08:12.660 --> 08:20.540]  the device crashed after receiving a packet or what the packet processing time was. Usually packets
[08:20.540 --> 08:27.820]  processed longer are more interesting for further analysis and mutations and can be used for the next
[08:27.820 --> 08:36.200]  steps of fuzzing. The next tool is the vulnerability tester. We have five classes of vulnerabilities:
[08:36.200 --> 08:42.740]  information disclosures, crashes, traffic amplifications, memory leaks, and remote code
[08:42.740 --> 08:50.380]  execution. In this version we have 10 new vulnerabilities that were added to the database
[08:50.950 --> 09:01.480]  and in total 34 issues. Here we can see a sample of vulnerabilities found by us
[09:02.590 --> 09:09.240]  that can be identified by Cotopaxi. For example, we have here a malformed DNS packet
[09:09.240 --> 09:18.940]  that causes an infinite loop in the tinysvcmdns server, or a single packet that induces six packets
[09:18.940 --> 09:24.860]  in response from the server, which can be used for distributed denial of service attacks.
[09:26.360 --> 09:33.680]  And the last but not least tool in our toolkit is the amplification sniffer that dumps all packets
[09:33.680 --> 09:41.020]  and analyzes the input and output of the server, calculating the amplification factor for the tested
[09:41.020 --> 09:48.860]  device. Short information on how IoT devices can be used to perform distributed denial of service
[09:48.860 --> 09:55.380]  attacks. It is possible, after identifying a large number of vulnerable devices,
[09:56.040 --> 10:04.540]  that an attacker sends packets with spoofed source addresses and the devices send responses to the victim,
[10:05.480 --> 10:12.880]  causing traffic overload. It's easily possible in UDP-based protocols, where there is no handshake
[10:12.880 --> 10:19.980]  at the beginning of communication. So UDP-based protocols like CoAP or DTLS can be used for such
[10:19.980 --> 10:29.780]  attacks. So finally, before we start the demo, short information on what you can do to start with
[10:29.780 --> 10:38.220]  Cotopaxi. First, download the tool from the repository, read the manual and install it.
[10:38.220 --> 10:47.260]  Of course, use it and hack different devices, but only when you have the consent of the owner or you
[10:47.260 --> 10:55.720]  are the owner. If you find any errors in the toolkit, please report them using GitHub issues.
[10:56.080 --> 11:00.860]  In the same way, you can contribute new vulnerabilities or new code.
